//Oh, in an aside, the Guardian is reporting from a supposedly knowledgeable US intelligence source that "We hack everyone everywhere. We like to make a distinction between us and the others. But we are in almost every country in the world." If that's true, not very much of it's been brought to light by the commercial security industry, suggesting that there are some interesting techniques in need of discovery.//

Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society, told The Guardian, "Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the Internet."

Ultimately, the NSA is just another hacker that will in the final analysis improve the overall security of network communications. The technology is there - and now we have the motivation to implement it. The golden age of NSA snooping is on its way out.

//Right off the bat I knew this was going to be an odd conversation, since this gentleman seemed convinced that the NSA had vast capabilities to defeat encryption. And not in a 'hey, d'ya think the NSA has vast capabilities to defeat encryption?' kind of way. No, the defeating was a given. We were just haggling over the details.

Oddness aside it was a fun (if brief) set of conversations, mostly involving hypotheticals. If the NSA could do this, how might they do it? What would the impact be? I admit that at this point one of my biggest concerns was to avoid coming off like a crank. After all, if I got quoted sounding too much like an NSA conspiracy nut, my colleagues would laugh at me. Then I might not get invited to the cool security parties.

All of this is a long way of saying that I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.//

So just curious from a technical point of view ... Does the cracking involve stealing private keys somehow, or does it involve actually cracking public key encryption from the ground up? My guess is that the basic PK encryption methods are "theoretically" still secure as long as the private keys are secret. Most of the effort amounts to ways of obtaining the private keys. Any thoughts?

We don't really know. Bruce Schneier has suggested in his essays at the Guardian that it's mainly introducing weaknesses into the implementations, rather than compromising the algorithms per se. But I haven't seen anything detailed enough to form any judgement.

Greg - I agree with you on the general direction this moves, but I think this kind of cultural shift actually takes a while and won't have a huge immediate effect. In particular, I would expect it to be driven by government mandates, which won't be an overnight thing.

So far none of the Snowden revelations have really been revelations, and it is not surprising that the NSA is going after cryptography... I mean, that's basically just high-tech lock-picking, yes?

What has surprised me is that it has gone into the business of manufacturing locks and of determining lock standards. I suppose it should not be surprising.

Most disturbing is the fact that NSA and GCHQ are naming their spying operations after battles in each country's respective civil wars, and that the general citizenry is openly referred to as "adversaries" in internal documents. It would appear that NSA has declared war on the population. None of this spying has anything whatever to do with "national security."

About Me

I'm a scientist and innovator in the technology industry, with a broad range of interests and experiences. I have a Physics PhD, MS in CS, and have done research, lived in cohousing communities, run a business, and designed technology products. Professionally, I have mainly worked on computer security problems. Currently I'm Adjunct Professor of Computer Science at Cornell, but this blog represents my views only.
Email me at stuart -- at -- earlywarn -- dot -- org. I do read all email, but because the blog is a part-time unfunded enterprise, I often fail to reply due to lack of time - apologies.